This posting is here to collect cyber security news in August 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
This posting is here to collect cyber security news in August 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
543 Comments
Tomi Engdahl says:
Newly Uncovered PyPI Package Drops Fileless Cryptominer to Linux Systems https://thehackernews.com/2022/08/newly-uncovered-pypi-package-drops.html
A now-removed rogue package pushed to the official third-party software repository for Python has been found to deploy cryptominers on Linux systems. The module, named “secretslib” and downloaded 93 times prior to its deletion, was released to the Python Package Index
(PyPI) on August 6, 2022 and is described as “secrets matching and verification made easy.”. “On a closer inspection though, the package covertly runs cryptominers on your Linux machine in-memory (directly from your RAM), a technique largely employed by fileless malware and crypters, ” Sonatype researcher Ax Sharma disclosed in a report last week.
Tomi Engdahl says:
Spyware Scandals Are Ripping Through Europe https://www.wired.com/story/europe-spyware-scandals-greece/
THE TEXT MESSAGE that dragged Thanasis Koukakis into what’s being called Europe’s Watergate scandal was so innocuous, he can barely remember receiving it. This one addressed him directly. “Thanasis, ”
it read, “Do you know about this issue?” Koukakis clicked on the link that followed, which took him to a news story about a Greek banking scandal. He replied with a terse: “No.”. Koukakis, 44, did not think about the message until months later. In the days that followed, he was oblivious to the fact that the website that hosted the story he was sent had disappeared. He also did not know that by clicking on that link, he had opened an invisible door inside his phone, allowing spyware software called Predator to creep in to silently watch the messages and calls he was sending and receiving.
Tomi Engdahl says:
https://www.securityweek.com/assange-lawyers-sue-cia-spying-them
Tomi Engdahl says:
Microsoft Announces Disruption of Russian Espionage APT
https://www.securityweek.com/microsoft-announces-disruption-russian-espionage-apt
Tomi Engdahl says:
Secure Boot Bypass Flaws Affect Bootloaders of Many Devices Made in Past Decade
https://www.securityweek.com/secure-boot-bypass-flaws-affect-bootloaders-many-devices-made-past-decade
Bootloaders present in a majority of computers made in the past 10 years are affected by Secure Boot bypass vulnerabilities, according to firmware security company Eclypsium.
Secure Boot is a mechanism designed to protect a device’s boot process from attacks, and bypassing it can allow an attacker to execute arbitrary code before the operating system loads. This can be useful for installing stealthy and persistent malware.
Eclypsium has identified Secure Boot bypass vulnerabilities in the Eurosoft (CVE-2022-34301) CVE-2022-34303, New Horizon Datasys (CVE-2022-34302), and CryptoPro Secure Disk for BitLocker (CVE-2022-34303) bootloaders. The company said these bootloaders are present in nearly all devices made in the past decade, including ARM and x86-64 devices.
The Eurosoft and CryptoPro Secure Disk bootloader bugs involve signed UEFI shells, with attackers being able to bypass Secure Boot by abusing built-in capabilities. For these security holes, exploitation can easily be automated using startup scripts, Eclypsium said.
The company noted, however, that these shells have a visual component that could be seen by a user on a monitor — although that might not be a problem on servers and industrial systems, which often run without a monitor.
Exploitation of the New Horizon Datasys vulnerability is easy and stealthy, which makes it a more likely candidate for exploitation in the wild.
“This bootloader contains a built-in bypass for Secure Boot that leaves Secure Boot on but disables the Secure Boot checks. This bypass can further enable even more complex evasions such as disabling security handlers. In this case, an attacker would not need scripting commands, and could directly run arbitrary unsigned code,” Eclypsium explained.
Tomi Engdahl says:
Weaponized PLCs Can Hack Engineering Workstations in Attacks on Industrial Orgs
https://www.securityweek.com/weaponized-plcs-can-hack-engineering-workstations-attacks-industrial-orgs
Researchers have shown how hackers could weaponize programmable logic controllers (PLCs) and use them to exploit engineering workstations running software from several major industrial automation companies.
PLCs can be a tempting target for threat actors as they can be abused to cause damage and disruption, and to make changes to the processes they control. This is why they are often seen as the ultimate goal of an attacker.
However, researchers at industrial cybersecurity firm Claroty wanted to show that PLCs can also be used as a point of entry into an organization, being leveraged to target the engineering workstations connected to them and from there the rest of the internal network.
In such an attack, named ‘Evil PLC Attack’, the hacker first compromises the PLC, which can often be exposed to the internet and unprotected, and then tricks an engineer into connecting to the PLC from the engineering workstation. This could be achieved by causing a fault on the PLC, which an engineer would likely want to investigate.
During this research, vulnerabilities have been discovered in engineering workstation software from ABB (B&R Automation Studio), Emerson (PAC Machine Edition), GE (ToolBoxST), Ovarro (TwinSoft), Rockwell Automation (Connected Components Workbench), Schneider Electric (EcoStruxure Control Expert) and Xinje (XD PLC Program Tool).
Tomi Engdahl says:
Kaunis nainen pommitti Kimmoa mobiilipelissä – huijari ei tiennyt valinneensa huonoimman mahdollisen kohteen
Kalifornialaisnainen halusi suhteen, joka johtaisi avioliittoon.
IT-asiantuntija Kimmo Rousku päätti huijata huijaria.
https://www.iltalehti.fi/tietoturva/a/d20876ea-1514-44fc-a4da-0229b956061f
Tomi Engdahl says:
Lähes 2000 OP:n asiakkaan luottokorttinumerot paljastuivat – näin tarkistat, koskeeko sinua https://www.is.fi/digitoday/tietoturva/art-2000009007849.html
Tomi Engdahl says:
Digital Ocean dumps Mailchimp after attack leaked customer email addresses
Somebody went after crypto-centric companies’ outsourced email but the damage was felt in the cloud
https://www.theregister.com/2022/08/16/digital_ocean_dumps_mailchimp/
Tomi Engdahl says:
SOVA malware adds ransomware feature to encrypt Android devices
https://www.bleepingcomputer.com/news/security/sova-malware-adds-ransomware-feature-to-encrypt-android-devices/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-aim-ddos-attacks-at-counter-strike-servers/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/microsoft-blocks-uefi-bootloaders-enabling-windows-secure-boot-bypass/
Tomi Engdahl says:
https://www.cbsnews.com/news/earth-spinning-faster-than-usual-shortest-day-ever/
Tomi Engdahl says:
Hackers attack UK water supplier but extort wrong company
https://www.bleepingcomputer.com/news/security/hackers-attack-uk-water-supplier-but-extort-wrong-company/
South Staffordshire Water, a company supplying 330 million liters of drinking water to 1.6 consumers daily, has issued a statement confirming IT disruption from a cyberattack.
As the announcement explains, the safety and water distribution systems are still operational, so the disruption of the IT systems doesn’t impact the supply of safe water to its customers or those of its subsidiaries, Cambridge Water and South Staffs Water.
“This is thanks to the robust systems and controls over water supply and quality we have in place at all times, as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis,”
Clop misidentifies victim?
Meanwhile, the Clop ransomware gang claimed Thames Water as their victim via an announcement on their onion site today, alleging to have accessed SCADA systems they could manipulate to cause harm to 15 million customers.
Thames Water is UK’s largest water supplier and wastewater treatment provider, serving Greater London and areas surrounding river Thames.
Tomi Engdahl says:
Multiple cloud vendors impacted by PostgreSQL vulnerability that exposed enterprise databases https://portswigger.net/daily-swig/multiple-cloud-vendors-impacted-by-postgresql-vulnerability-that-exposed-enterprise-databases
Wiz Research has found vulnerabilities in popular PostgreSQL-as-a-Service’ offerings from various cloud vendors, introduced by the cloud vendors themselves. Earlier this year, the security outfit discovered a chain of critical vulnerabilities in Microsoft Azure Database for PostgreSQL Flexible Server. The exploit, named #ExtraReplica, allowed unauthorized read access to other customers’ PostgreSQL databases, bypassing tenant isolation. “The isolation was not perfect, and we had network access from our managed instance to other customers’ instances, which opened an attack surface for other potential vulnerabilities, ” Shir Tamari, head of research at Wiz, tells The Daily Swig.
Tomi Engdahl says:
Malicious browser extensions targeted almost 7 million people https://www.bleepingcomputer.com/news/security/malicious-browser-extensions-targeted-almost-7-million-people/
Almost 7 million users have attempted to install malicious browser extensions since 2020, with 70% of those extensions used as adware to target users with advertisements. The most common payloads carried by malicious web browser extensions during the first half of 2022 belonged to adware families, snooping on browsing activity and promoting affiliate links. This finding is based on telemetry data collected by Kaspersky, which reports over 1, 300, 000 attempts by users to install malicious extensions throughout H1 ’22, an increase compared to last year’s figures. From January 2020 to June 2022, Kaspersky recorded adware extensions targeting 4.3 million unique users, corresponding to roughly 70% of all malicious extensions in that period.
Tomi Engdahl says:
New MailChimp breach exposed DigitalOcean customer email addresses https://www.bleepingcomputer.com/news/security/new-mailchimp-breach-exposed-digitalocean-customer-email-addresses/
DigitalOcean is warning customers that a recent MailChimp security breach exposed the email addresses of some customers, with a small number receiving unauthorized password resets. The company says they first learned of the breach after MailChimp disabled their account without warning on August 8th. DigitalOcean used this MailChimp account to send email confirmations, password reset notifications, and alerts to customers. DigitalOcean says that on the same day, a customer notified their cybersecurity team that their password was reset without authorization. Believing that their MailChimp account was breached, DigitalOcean says they reached out to the company but didn’t hear back until August 10th, when they learned that a hacker had gained access to MailChimp’s internal support tools.
Tomi Engdahl says:
Signal says 1, 900 users’ phone numbers exposed by Twilio breach https://techcrunch.com/2022/08/15/signal-phone-number-exposed-twilio/
End-to-end encrypted messaging app Signal says attackers accessed the phone numbers and SMS verification codes for almost 2, 000 users as part of the breach at communications giant Twilio last week. Twilio, which provides phone number verification services to Signal, said on August 8 that malicious actors accessed the data of 125 customers after successfully phishing multiple employees. Twilio did not say who the customers were, but they are likely to include large organizations after Signal on Monday confirmed that it was one of those victims.
Signal said in a blog post Monday that it would notify about 1, 900 users whose phone numbers or SMS verification codes were stolen when attackers gained access to Twilio’s customer support console
Tomi Engdahl says:
Critical Vulnerability in Google’s Titan M Chip Earns Researchers $75,000
https://www.securityweek.com/critical-vulnerability-googles-titan-m-chip-earns-researchers-75000
Security researchers at Quarkslab have published detailed information on a critical vulnerability they discovered in Google’s Titan M chip earlier this year.
Introduced in 2018, Titan M is a system-on-a-chip (SoC) designed to deliver increased security protections to Pixel devices, including guaranteeing secure boot.
Tracked as CVE-2022-20233, the newly detailed vulnerability was addressed as part of Android’s June 2022 security patches, when Google described it as a critical escalation of privilege bug.
According to Quarkslab’s researchers – who discovered the issue and reported it to Google – the security flaw can be exploited to achieve code execution on the Titan M chip.
The vulnerability is an out-of-bounds write issue that exists because of an incorrect bounds check. Exploiting the bug to achieve local escalation of privilege does not require user interaction.
Tomi Engdahl says:
https://www.securityweek.com/signal-discloses-impact-twilio-hack
Tomi Engdahl says:
Ransomware Group Claims Access to SCADA in Confusing UK Water Company Hack
https://www.securityweek.com/ransomware-group-claims-access-scada-confusing-uk-water-company-hack
A ransomware group has hit at least one water company in the United Kingdom, but there is some confusion over whose systems were actually breached.
The Cl0p ransomware group has claimed on its Tor-based leak website that it has breached the systems of Thames Water, which advertises itself as the UK’s largest water and wastewater company, serving 15 million people.
However, cybersecurity experts have pointed out that while Cl0p names Thames Water on its site, the files leaked as proof of the breach actually appear to belong to a different water company named South Staffordshire, whose subsidiaries, South Staffs Water and Cambridge Water, serve 1.6 million people and tens of thousands of businesses in the UK.
On its website, Cl0p names Thames Water with the company’s address and revenue, but a phone number and a second address shown on the same page belong to South Staffs Water. Some leaked documents also reference South Staffordshire and South Staffs Water.
Tomi Engdahl says:
When your software that’s built on software is built on software that’s got a bug, then your software’s software’s software’s got a bug, your software’s software’s got a bug, and your software’s got a bug.
Researchers found one-click exploits in Discord and Teams
https://www.malwarebytes.com/blog/news/2022/08/researchers-found-one-click-exploits-in-discord-and-teams?utm_campaign=RT&utm_medium=social
A group of security researchers have discovered a series of vulnerabilities in Electron, the software underlying popular apps like Discord, Microsoft Teams, and many others, used by tens of millions of people all over the world.
Electron is a framework that allows developers to create desktop applications using the languages used to build websites: HTML5, CSS, and JavaScript. It’s an open source project that has been used as the foundation for some extremely popular apps. Electron itself is built on the open source Chromium browser project (the basis of Google Chrome), and the NodeJS JavaScript runtime which is built on Chromium’s V8 JavaScript engine—a significant source of Chrome security problems.
Tomi Engdahl says:
Disabling Transport Layer Security (#TLS) 1.0 and 1.1 by default for #InternetExplorer and #EdgeHTML on September 23, 2022
TLS 1.0 and TLS 1.1 will be disabled on September 13, 2022
https://www.tenforums.com/windows-10-news/197173-tls-1-0-tls-1-1-will-disabled-september-13-2022-a.html
We are updating the timeframe for disabling TLS 1.0 and TLS 1.1 by default for Internet Explorer and EdgeHTML, the rendering engine for the WebView control. TLS 1.0 and TLS 1.1 will be disabled by default for both starting September 13, 2022.
Organizations that wish to disable TLS 1.0 and TLS 1.1 before that date may might do so using Group Policy. The Microsoft Edge Legacy desktop application is no longer in scope for this timeframe, as it reached end of support on March 9, 2021.
Please note: We are not deprecating TLS 1.0 and TLS 1.1 support. We are simply disabling it by default, giving organizations the option to turn it back on through Group Policy (if needed, for compatibility reasons). Individuals can turn it back on for their personal devices by navigating to Tools > Internet Options > Advanced in Internet Explorer.
Tomi Engdahl says:
North Korean hackers use signed macOS malware to target IT job seekers https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-signed-macos-malware-to-target-it-job-seekers/
North Korean hackers from the Lazarus group have been using a signed malicious executable for macOS to impersonate Coinbase and lure in employees in the financial technology sector. While it is no surprise that they’re targeting workers at Web3 companies, details about this specific social engineering campaign so far were limited to malware for the Windows platform. Lazarus hackers have used fake job offers in the past and in a recent operation they used malware disguised as a PDF file with details about a position at Coinbase. Compared to the previous macOS malware attributed to the Lazarus group of hackers, ESET researchers observed that the downloader component connects to a different command and control (C2) server, which was no longer responding at the time of the analysis.
Tomi Engdahl says:
Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers https://thehackernews.com/2022/08/researchers-link-multi-year-mass.html
A Chinese state-sponsored threat activity group named RedAlpha has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations. “In this activity, RedAlpha very likely sought to gain access to email accounts and other online communications of targeted individuals and organizations, ” Recorded Future disclosed in a new report. A lesser-known threat actor, RedAlpha was first documented by Citizen Lab in January 2018 and has a history of conducting cyber espionage and surveillance operations directed against the Tibetan community, some in India, to facilitate intelligence collection through the deployment of the NjRAT backdoor.”
Tomi Engdahl says:
Chrome browser gets 11 security fixes with 1 zero-day update now!
https://nakedsecurity.sophos.com/2022/08/17/chrome-browser-gets-11-security-fixes-with-1-zero-day-update-now/
The latest update to Google’s Chrome browser is out, bumping the four-part version number to 104.0.5112.101 (Mac and Linux), or to
104.0.5112.102 (Windows). According to Google, the new version includes 11 security fixes, one of which is annotated with the remark that “an exploit [for this vulnerability] exists in the wild”, making it a zero-day hole.
Tomi Engdahl says:
Malware devs already bypassed Android 13′s new security feature https://www.bleepingcomputer.com/news/security/malware-devs-already-bypassed-android-13s-new-security-feature/
Android malware developers are already adjusting their tactics to bypass a new Restricted setting’ security feature introduced by Google in the newly released Android 13. In previous Android versions, most mobile malware found its way inside millions of devices via dropper apps available on the Play Store, which masquerade as legitimate apps.
In Android 13, Google’s security engineers introduced a Restricted setting’ feature, which blocks sideloaded applications from requesting Accessibility Service privileges, limiting the function to Google Play-sourced APKs. To bypass the Restricted setting’, session-based installation is used to perform a multi-staged installation of malware onto an Android device by splitting the packages (APKs) into smaller pieces and giving them identical names, version codes, and signing certificates. This way, Android won’t see the payload installation as sideloading the APK, and thus Android 13′s Accessibility Service restrictions won’t apply.
Tomi Engdahl says:
CISA and FBI issue alert about Zeppelin ransomware https://www.malwarebytes.com/blog/news/2022/08/cisa-and-fbi-issue-alert-about-zeppelin-ransomware
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory (CSA) about Zeppelin ransomware. The advisory contains indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with ransomware variants identified through FBI investigations as recently as June 21, 2022. Zeppelin, aka Buran, is a ransomware-as-a-service (RaaS) written in Delphi and built upon the foundation of VegaLocker. Due to the RaaS model there are several methods in use to gain initial access. The CSA mentions RDP exploitation, SonicWall firewall exploits, and phishing campaigns. In earlier days, Malwarebytes’ researchers found a malvertising campaign that dropped Zeppelin ransomware as one of the possible payloads.
While anyone can fall victim to these threat actors, the FBI noted that this malware has been used to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries.
Tomi Engdahl says:
Brazilian police launch investigation targeting Lapsus$ group https://therecord.media/brazilian-police-launch-investigation-targeting-lapsus-group/
Brazil’s Federal Police carried out eight search and seizure warrants Tuesday as part of an investigation into attacks claimed by the Lapsus$ Group that disrupted the country’s Ministry of Health last December, the agency announced in a press release. Police did not specifically name Lapsus$ Group in the announcement. However, the details described line up with the Lapsus$ Group attack and the agency wrote that the investigation connected the attacks to a “transnational criminal organization” focused on cybercrime “targeting public and private entities in Brazil, the United States, Portugal and Colombia.”. In addition to the Ministry of Health, Brazilian police wrote, the attacker infiltrated nine other local entities including the Ministry of the Economy and the National Electric Energy Agency.
Tomi Engdahl says:
iOS VPNs have leaked traffic for more than 2 years, researcher claims https://arstechnica.com/information-technology/2022/08/ios-vpns-still-leak-traffic-more-than-2-years-later-researcher-claims/
A security researcher says that Apple’s iOS devices don’t fully route all network traffic through VPNs, a potential security issue the device maker has known about for years. Michael Horowitz, a longtime computer security blogger and researcher, puts it plainlyif contentiouslyin a continually updated blog post. “VPNs on iOS are broken, ” he says. Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz’s findings with advanced router logging, can still send data outside the VPN tunnel while it’s active.
Tomi Engdahl says:
Security Firms Find Over 20 Malicious PyPI Packages Designed for Data Theft
https://www.securityweek.com/security-firms-find-over-20-malicious-pypi-packages-designed-data-theft
Security companies have identified more than 20 malicious PyPI packages designed to steal passwords and other sensitive information from the victims’ machines.
Kaspersky is warning of two such packages – ‘ultrarequests’ and ‘pyquest’ – that were masquerading as ‘requests’, a highly popular open source package. The malicious repositories copied the description from the legitimate package and contained fake statistics.
The malicious packages contained nearly identical code as ‘requests’, but were designed to write to a temporary file a one-liner Python script designed to fetch a next-stage script that in turn downloads and executes the final payload.
Called ‘W4SP Stealer’, the final payload is a Python trojan that collects saved cookies and passwords from browsers and Discord tokens, and sends them to the threat actor via a Discord webhook.
“The stealer also creates and sends a list of saved browser credentials for the URLs containing keywords ‘mail’, ‘card’, ‘bank’, ‘buy’, ‘sell’, etc. Apart from that, it gathers data from the MetaMask, Atomic and Exodus wallets, as well as Steam and Minecraft credentials,” Kaspersky explains.
https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/
Tomi Engdahl says:
Security Analysis Leads to Discovery of Vulnerabilities in 18 Electron Applications
https://www.securityweek.com/security-analysis-leads-discovery-vulnerabilities-18-electron-applications
A team of researchers from various companies has analyzed Electron-based desktop applications and ended up discovering vulnerabilities in several widely used pieces of software.
Electron is a free and open source framework for developing cross-platform desktop applications. It has been used to build some very popular applications, including Microsoft Teams, WhatsApp, and Slack.
The research project targeting Electron apps has been dubbed ElectroVolt and the findings were presented last week at the Black Hat conference.
Mohan Sri Rama Krishna Pedhapati, a security consultant at Cure53 and one of the researchers involved in the project, told SecurityWeek that they have identified vulnerabilities in 18 applications. Impacted vendors have been informed and they all released patches.
Security holes have been found in Microsoft Teams, Discord, Visual Studio Code, Basecamp, Mattermost, Element, Notion, JupyterLab, and Rocket.Chat, among others.
Tomi Engdahl says:
Quarterly Security Patches Released for Splunk Enterprise
https://www.securityweek.com/quarterly-security-patches-released-splunk-enterprise
Splunk this week announced the release of a new set of quarterly patches, to address multiple vulnerabilities in Splunk Enterprise.
The most important of the bugs – based on its severity rating – is a high-severity TLS certificate validation issue in the Ingest Actions user interface.
“When using Ingest Actions to configure a destination that resides on Amazon Simple Storage Service (S3) in Splunk Web, TLS certificate validation is not correctly performed and tested for the destination,” Splunk explains in its advisory.
Tracked as CVE-2022-37437, the security bug only impacts connections between Splunk Enterprise and an Ingest Actions Destination that are made through Splunk Web. Only environments with TLS certificate validation configured are impacted.
According to Splunk, Destinations configured directly in the outputs.conf configuration file are not impacted. Splunk Enterprise versions before 9.0.0 are not affected. The security flaw was resolved in Splunk Enterprise version 9.0.1.
Another vulnerability Splunk addressed this week is CVE-2022-37439, a medium-severity issue that could lead to a crash when indexing a maliciously formed ZIP file using the file monitoring input. The application will crash even after a restart, requiring the manual removal of the malicious file.
Ingest Actions UI in Splunk Enterprise 9.0.0 disabled TLS certificate validation
https://www.splunk.com/en_us/product-security/announcements/svd-2022-0801.html
Tomi Engdahl says:
Iranian Group Targeting Israeli Shipping and Other Key Sectors
https://www.securityweek.com/iranian-group-targeting-israeli-shipping-and-other-key-sectors
Mandiant has been tracking an activity cluster from what it believes is a single Iranian threat group that has been targeting Israeli interests, especially the shipping industry. The activity was first noted in late 2020 and is ongoing in mid-2022. Mandiant has named the group UNC3890.
Although the group’s targeting is regionally focused on Israel, some of the targets are global organizations – meaning there could be a ripple effect across other regions. The primary targets are government, shipping, energy, aviation and healthcare sectors.
There is a strong focus on Israeli shipping. “While we believe this actor is focused on intelligence collection,” say the researchers in an analysis, “the collected data may be leveraged to support various activities, from hack-and-leak, to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years.”
UNC3890’s initial access has been via watering holes and credential harvesting. The latter used the group’s C2 servers masquerading as legitimate services to harvest credentials and send phishing lures. The servers host domains and fake login pages spoofing legitimate services such as Office 365, social networks such as LinkedIn and Facebook, and deliver fake job offers and fake commercials. The researchers also found a UNC3890 server containing scraped Facebook and Instagram details that could have been used in social engineering attacks.
Tomi Engdahl says:
SEC Charges 18 Over Scheme Involving Hacked Brokerage Accounts
https://www.securityweek.com/sec-charges-18-over-scheme-involving-hacked-brokerage-accounts
Tomi Engdahl says:
81% of Malware Seen on USB Drives in Industrial Facilities Can Disrupt ICS: Honeywel
https://www.securityweek.com/81-malware-seen-usb-drives-industrial-facilities-can-disrupt-ics-honeywell
A significant percentage of the malware seen last year on USB drives used in industrial facilities was capable of targeting and disrupting industrial control systems (ICS), according to a report published this week by Honeywell.
The industrial giant has published its fourth annual report focusing on the malware found by one of its dedicated security products on the USB drives that were brought into its customers’ industrial environments.
Honeywell’s analysis of the data found that the percentage of industrial-specific malware has increased to 32%, from 30% in the 2021 report and 11% in the 2020 report. The percentage of malware designed to propagate over USB or to specifically exploit USB for infection increased to 52%, significantly higher than the 37% seen in 2021.
There has also been a slight increase in malware that can cause disruption to operational technology (OT) systems — this includes loss of control or loss of view. Specifically, 81% of the malware detected by Honeywell’s product on USB drives was disruptive, up from 79% in 2021.
Tomi Engdahl says:
Apple Patches New macOS, iOS Zero-Days
https://www.securityweek.com/apple-patches-new-macos-ios-zero-days
Apple on Wednesday rolled out emergency patches for a pair of already exploited zero-day vulnerabilities in its flagship macOS and iOS platforms.
Apple confirmed in-the-wild exploitation of the vulnerabilities in separate advisories warning about code execution flaws in fully patched iPhone, iPad and macOS devices.
Barebones details from Apple’s advisories:
CVE-2022-32894 (kernel) – An application may be able to execute arbitrary code with kernel privileges. An out-of-bounds write issue was addressed with improved bounds checking. Apple is aware of a report that this issue may have been actively exploited.
CVE-2022-32893 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution. An out-of-bounds write issue was addressed with improved bounds checking. Apple is aware of a report that this issue may have been actively exploited.
The patches are being pushed to Apple’s auto-update mechanism (macOS Monterey 12.5.1, iOS 15.6.1 and iPadOS 15.6.1).
Apple did not release any details on the live exploitation or any indicators of compromise to help defenders look for signs of infections.
Tomi Engdahl says:
Andrew Cunningham / Ars Technica:
iOS, iPadOS, and macOS receive updates to fix kernel and WebKit security flaws that allowed arbitrary code execution and were reportedly being exploited — Kernel and WebKit bugs can allow arbitrary code execution on Apple’s devices. — Apple has released a trio of operating system updates …
New macOS 12.5.1 and iOS 15.6.1 updates patch “actively exploited” vulnerabilities
Kernel and WebKit bugs can allow arbitrary code execution on Apple’s devices.
https://arstechnica.com/gadgets/2022/08/apple-releases-macos-12-5-1-and-ios-15-6-1-for-actively-exploited-vulnerabilities/
Apple has released a trio of operating system updates to patch security vulnerabilities that it says “may have been actively exploited.” The macOS 12.5.1, iOS 15.6.1, and iPadOS 15.6.1 updates are available for download now and should be installed as soon as possible.
The three updates all fix the same pair of bugs. One, labeled CVE-2022-32894, is a kernel vulnerability that can allow apps “to execute arbitrary code with kernel privileges. The other, CVE-2022-32893, is a WebKit bug that allows for arbitrary code execution via “maliciously crafted web content.” Both discoveries are attributed to an anonymous security researcher. WebKit is used in the Safari browser as well as in apps like Mail that use Apple’s WebViews to render and display content.
Tomi Engdahl says:
Manish Singh / TechCrunch:
VideoLan, which develops VLC, says Indian telecom operators have been blocking its website since February 2022; India has 10% of VLC users worldwide — VideoLan, the developer of popular media player VLC, says Indian telecom operators have been blocking its website since February of this year …
VLC says India internet providers blocking site poses threat to users
https://techcrunch.com/2022/08/17/vlc-india/
VideoLan, the developer of popular media player VLC, says Indian telecom operators have been blocking its website since February of this year in a move that is potentially impacting some users in one of the open source firm’s largest markets.
“Most major ISPs [internet service providers] are banning the site, with diverse techniques,” VideoLan president and lead developer Jean-Baptiste Kempf said of the blocking in India, in an email to TechCrunch.
The telecom operators began blocking the VideoLan website on February 13 of this year, when the site saw a drop of 80% in traffic from the South Asian market, he said.
India represents 10% of all VLC users worldwide, he said. The website’s traffic has seen an overall drop of 20% as a result of the blocking in India.
Indian telecom operators have not explained why they have blocked the VideoLan website, but some speculate that it could be because of a misinterpretation of a security warning from earlier this year.
Tomi Engdahl says:
Petteri Järvinen esitti kovan uhkakuvan Sanna Marinin videokohusta: ”Onko joku todella niin typerä?” https://www.iltalehti.fi/kotimaa/a/e2579317-e2b5-41ae-ae42-85c2c7d30089
Tomi Engdahl says:
Marinin bilevideo levisi heti ulkomaille – näin sitä on kommentoitu
Sosiaalisessa mediassa kiertävä video on herättänyt myös kansainvälistä huomiota.
https://www.is.fi/kotimaa/art-2000009011590.html
My take: if she’s doing a good job, this is charming. If she’s not, this is offensive. In a democracy, voters will tolerate eccentricity & frivolity, but only so long as you deliver.
Tomi Engdahl says:
”Muuvit kuin Marinilla” – pääministerin bilevideo nousi otsikoihin Australiassa asti
Pääministerin tansseista vuodettu video on noussut otsikoihin maapallon joka laidalla Australiaa ja Argentiinaa myöten. Saksalaismediat ovat vetäneet mutkat suoriksi ja nimenneet juhlat ”koksubileiksi”.
https://www.iltalehti.fi/ulkomaat/a/b7917809-5b6e-4dc2-98ce-55e4f2eb58ef
Finland’s 36-year-old Prime Minister @MarinSanna is facing her own #PartyGate today after a video was leaked to the media.
People can be heard shouting in the background about cocaine.
Finnish media seems to overwhelmingly believe that it’s not a good look for a PM.
Tomi Engdahl says:
Petteri Järvinen esitti kovan uhkakuvan Sanna Marinin videokohusta: ”Onko joku todella niin typerä?”
Petteri Järvisen mukaan pääministeri Marinin juhlimisesta tuotetut videot ovat ”syöttö disinformaatikkojen lapaan”.
https://www.iltalehti.fi/kotimaa/a/e2579317-e2b5-41ae-ae42-85c2c7d30089
Tietoturva-asiantuntija Petteri Järvinen arvioi Iltalehdelle, että Venäjällä voi olla osuutta pääministeri Sanna Marinista (sd) kuvattujen bilevideoiden levittämiseen.
– Voi olla, että joku sometili tai puhelin, jossa videot ovat, on hakkeroitu tai murrettu venäläisten toimesta, Järvinen arvioi.
– Vai onko joku todella niin typerä, että on pääministerin juhlissa kuvannut tällaista ja laittanut itse someen? Alkeellinen järkikin pitäisi sanoa, että tällaista ei pitäisi julkaista, hän pohtii.
Järvisen mukaan Marinin juhlimisesta levinneissä videoissa piilee suuri informaatiovaikuttamisen riski. Hän arvioi, että venäläiset voisivat tulevaisuudessa manipuloida videoita, mikäli niitä vuotaa julkisuuteen lisää.
– Se on nykyään todella helppoa. Silloin emme osaa enää erottaa videoita aidoista. Seuraavassa videossa voisi olla jotain todella vaarallista, hän sanoo.
Tomi Engdahl says:
Marin: En ole käyttänyt huumeita – videot otettu muutama viikko sitten, luotin ettei niitä vuodeta
Pääministeri Sanna Marinin (sd) juhlimista kuvaava video on herättänyt paljon keskustelua. Pääministeri kommentoi videota Kuopiossa.
https://www.iltalehti.fi/politiikka/a/0de02690-e813-4ced-88ed-3ee8123f16be
Tomi Engdahl says:
https://www.securityweek.com/digitalocean-discloses-impact-recent-mailchimp-cyberattack
Tomi Engdahl says:
https://www.securityweek.com/russian-man-extradited-us-laundering-ryuk-ransomware-money
A Russian national has been extradited from the Netherlands to the United States, where he faces charges related to his alleged role in the Ryuk ransomware operation.
Tomi Engdahl says:
SynSaber Raises $13 Million for OT Asset and Network Monitoring Solution
https://www.securityweek.com/synsaber-raises-13-million-ot-asset-and-network-monitoring-solution
SynSaber, a startup that specializes in protecting industrial control systems (ICS) and other operational technology (OT), announced on Thursday that it has raised $13 million in Series A funding.
Tomi Engdahl says:
Evasive ‘DarkTortilla’ Crypter Delivers RATs, Targeted Malware
https://www.securityweek.com/evasive-darktortilla-crypter-delivers-rats-targeted-malware
Secureworks security researchers have analyzed ‘DarkTortilla’, a .NET-based crypter used to deliver both popular malware and targeted payloads.
Likely active since 2015, DarkTortilla was designed to keep malicious payloads hidden from detection software, and was previously seen delivering remote access trojans (RATs) and information stealers – AgentTesla, AsyncRat, NanoCore, and RedLine – as well as targeted payloads such as Cobalt Strike and Metasploit.
Tomi Engdahl says:
North Korean Hackers Use Fake Job Offers to Deliver New macOS Malware
https://www.securityweek.com/north-korean-hackers-use-fake-job-offers-deliver-new-macos-malware
Researchers with cybersecurity company ESET have observed a new macOS malware sample developed by the infamous North Korean advanced persistent threat (APT) actor Lazarus.
Believed to be backed by the North Korean government, Lazarus has been active since at least 2009, orchestrating various high-profile attacks, including numerous assaults on cryptocurrency entities.
Also referred to as Hidden Cobra, Lazarus is believed to comprise multiple subgroups, the activities of which often overlap, the same as their tools.
Over the past couple of years, Lazarus has been targeting various entities – including defense and governmental organizations and companies in the chemical sector – with fake job offers and sophisticated social engineering.
ESET now warns that Lazarus is once again relying on fake job offerings for the distribution of malware, as a continuation of an attack detailed in May, which relied on similar decoy documents for the distribution of Windows and macOS malware.
“A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil. This is an instance of Operation In(ter)ception by #Lazarus for Mac,” ESET said on Twitter.
Tomi Engdahl says:
Google Confirms Chrome Zero-Day #5 As Attacks Begin, Update Now
https://www.forbes.com/sites/daveywinder/2022/08/18/google-confirms-chrome-zero-day-5-as-attacks-begin-update-now/?sh=2605332b647b&utm_source=ForbesMainFacebook&utm_campaign=socialflowForbesMainFB&utm_medium=social